
Prevent project maintainers from creating or modifying Project Owners

charlie ablett requested to merge cablett-project-owner-maintainer into master

What does this MR do and why?

Split off from https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2335/ (where there is a lot of discussion 😅)

This MR prevents a project maintainer from doing the following in the project:

  • creating an OWNER member
  • promoting non-owners to OWNER
  • demoting an OWNER member
  • destroying an OWNER

How to set up and validate locally

On master branch

Given a project (id 42), a non-admin project maintainer user (id 25), and an unrelated user (id 70), use the API to do the following:

  • Create a new OWNER member with another user
$ curl --request POST --header "PRIVATE-TOKEN: glpat-<token>" --data "user_id=70&access_level=50" "https://gdk.test:3443/api/v4/projects/42/members"
{"id":70,"username":"test1","name":"super person","state":"active","avatar_url":"https://snip","web_url":"https://gdk.test:3443/test1","access_level":50,"created_at":"2022-03-29T09:09:16.005Z","expires_at":null,"membership_state":"active"}
  • Promote another user to OWNER
$ curl --request PUT --header "PRIVATE-TOKEN: glpat-<token>" "https://gdk.test:3443/api/v4/projects/42/members/70?access_level=50"
{"id":70,"username":"test1","name":"super person","state":"active","avatar_url":"https://snip","web_url":"https://gdk.test:3443/test1","access_level":50,"created_at":"2022-03-29T09:09:16.005Z","expires_at":null,"membership_state":"active"}
  • Demote another user from OWNER (you'll have to promote someone OR set OWNER via console because the UI doesn't allow it yet)
$ curl --request PUT --header "PRIVATE-TOKEN: glpat-<token>" "https://gdk.test:3443/api/v4/projects/42/members/70?access_level=20"
{"id":70,"username":"test1","name":"super person","state":"active","avatar_url":"https://snip","web_url":"https://gdk.test:3443/test1","access_level":20,"created_at":"2022-03-29T09:09:16.005Z","expires_at":null,"membership_state":"active"}
  • Promote self to OWNER
$ curl --request PUT --header "PRIVATE-TOKEN: glpat-<token>" "https://gdk.test:3443/api/v4/projects/42/members/25?access_level=50"
{"id":25,"username":"user25","name":"Aleen Lehner","state":"active","avatar_url":"https://snip","web_url":"https://gdk.test:3443/user25","access_level":50,"created_at":"2022-03-07T23:49:28.006Z","expires_at":null,"membership_state":"active"}
  • Destroy an existing OWNER membership
$ curl --request DELETE --header "PRIVATE-TOKEN: glpat-<token>" "https://gdk.test:3443/api/v4/projects/42/members/132"

On this branch

Try the above, and they should not work - 403 Forbidden should be the result (see spec/requests/api/members_spec.rb for exact error codes)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by charlie ablett
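The member-management rule described above, written out as a standalone check so the five maintainer scenarios can be replayed offline. This is an added illustration, not GitLab's own policy code or the MR's diff; the function names and the scenario table are constructed here, and the access-level numbers are the GitLab API values used in the curl examples (20 = Reporter, 50 = Owner).

```ruby
# Added illustration, not GitLab's code: the member-management rule the MR
# describes, as a standalone check. Access-level numbers are the GitLab
# API values used in the curl examples (20 = Reporter, 50 = Owner).
REPORTER   = 20
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50

# Decide whether an actor holding +actor_level+ in the project may change a
# membership. +current_level+ is nil when creating a member, +new_level+ is
# nil when destroying one. Returns [http_status, reason].
def authorize_member_change(actor_level:, current_level: nil, new_level: nil)
  # Below Maintainer nobody manages members at all.
  return [403, "requires Maintainer or above"] if actor_level < MAINTAINER

  if actor_level < OWNER
    # A Maintainer may not create an Owner or promote anyone (themselves
    # included) to Owner ...
    return [403, "only an Owner may grant OWNER"] if new_level == OWNER
    # ... and may not demote or remove an existing Owner.
    return [403, "only an Owner may modify an OWNER"] if current_level == OWNER
  end

  [200, "ok"]
end

# The five Maintainer actions from the MR description, as
# name => [current_level, new_level]. (Constructed table.)
MAINTAINER_SCENARIOS = {
  "create an OWNER member"   => [nil,        OWNER],
  "promote another to OWNER" => [REPORTER,   OWNER],
  "demote an OWNER"          => [OWNER,      REPORTER],
  "promote self to OWNER"    => [MAINTAINER, OWNER],
  "destroy an OWNER"         => [OWNER,      nil],
}.freeze

# Status each scenario yields for a given actor level: 403 for all five
# when a Maintainer tries them, 200 when an Owner does the same.
def scenario_statuses(actor_level)
  MAINTAINER_SCENARIOS.transform_values do |current, new_level|
    authorize_member_change(actor_level: actor_level,
                            current_level: current, new_level: new_level).first
  end
end

if __FILE__ == $PROGRAM_NAME
  scenario_statuses(MAINTAINER).each { |name, status| puts "#{status}  #{name}" }
end
```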
